Abstract

In a previous work ("Abstract Data Type Systems", TCS 173(2), 1997), the last two authors presented a combined language made of a (strongly normalizing) algebraic rewrite system and a typed λ-calculus enriched by pattern-matching definitions following a certain format, called the "General Schema", which generalizes the usual recursor definitions for natural numbers and similar "basic inductive types". This combined language was shown to be strongly normalizing. The purpose of this paper is to reformulate and extend the General Schema in order to make it easily extensible, to capture a more general class of inductive types, called "strictly positive", and to ease the strong normalization proof of the resulting system. This result provides a computation model for the combination of an algebraic specification language based on abstract data types and of a strongly typed functional language with strictly positive inductive types.
1 Introduction

This work is one step in a long term program aiming at building formal specification languages integrating computations and proofs within a single framework. We focus here on incorporating an expressive notion of equality within a typed λ-calculus.
In retrospect, the quest for an expressive language allowing one to specify and prove mathematical properties of software started with system F on the one hand [23,24] and the Automath project on the other hand [15]. Much later, Coquand and Huet combined both calculi, resulting in the Calculus of Constructions [13]. Making use of impredicativity, data structures could be encoded in this calculus, but these encodings were far too complex to be used by non-specialists. A different approach was taken by Martin-Löf [32,33], whose theory was based on the notion of inductive definition, originating in Gödel's system T [25]. Coquand and Paulin-Mohring later incorporated a similar notion to the Calculus of Constructions under the name of inductive type [14]. But despite their legitimate success, inductive types are not yet enough to make the Calculus of Inductive Constructions an easy to use programming language for proofs. The main remaining problem is that of equality. In the current version of the calculus, equality is given by βη-reductions, the recursor rules associated with the inductive types (corresponding to structural induction in the Curry-Howard isomorphism), and the definitional rules for constants by primitive recursion of higher type. This notion of equality has two main practical drawbacks: it makes the definition of functions sometimes painful for the user, by forcing the user to think operationally rather than axiomatically; and it makes it necessary to spell out many equational proofs that could be short-cut if the corresponding equality could be equationally specified in the calculus.

It should be clear that this problem is not specific to the Calculus of Inductive Constructions. It also shows up in other versions of type theory where equality is not a first-class concept, for example, in Martin-Löf's theory of types. A solution was proposed by Coquand, for a calculus with dependent types, in which functions can be defined by pattern-matching, provided all right-hand side recursive calls are "structurally smaller" than the left-hand side call [12]. His notion is very abstract, though, and relies on a well-foundedness assumption which is satisfied in practice. Concurrently, following the pioneering works of Tannen [8], Tannen and Gallier [9,10] and Okada [40], the last two authors of the present paper proposed another solution, for a polymorphically typed λ-calculus, based on pattern-matching functional definitions following the so-called "General Schema" [27,28]. This work was then generalized so as to cover the full Calculus of Constructions [1,2,3]. As in Coquand [12], the idea of the General Schema is to control the arguments of the right-hand side recursive calls of a rule-based definition by checking that they are smaller than the left-hand side ones, this time in the strict subterm ordering extended in a multiset or lexicographic manner. This schema was general enough to subsume basic inductive types, such as $nat = 0_{nat} \uplus s_{nat}(nat)$, in the sense that the associated recursor rules are instances of the General Schema. In contrast with Coquand's proposal, it does not subsume non-basic inductive types, such as $ord = 0_{ord} \uplus s_{ord}(ord) \uplus lim(nat \to ord)$, whose constructor lim takes an argument of the functional type $nat \to ord$. On the other hand, the use of multiset and lexicographic extensions allows one to tailor the comparisons to the practical needs, making it possible to have nested recursive calls, an important facility that Coquand's ordering cannot provide. Finally, it is important to note that, in contrast with other work [35,20], our definitions allow non-linear and overlapping left-hand sides, at the price of checking confluence via the computation of critical pairs.

The fact that the General Schema covers only a limited portion of the possible inductive types of the Calculus of Inductive Constructions shows a weakness, and indeed, functions defined by induction over such inductive types cannot be defined within the schema. The purpose of this paper is to revisit the General Schema so as to cover all strictly positive inductive types. The solution is based on an essential use of the positivity condition required for the inductive types. We do so within the framework of Church's simple theory of types, therefore avoiding the problem of having equalities at the type level via the use of dependent types. Closing the gap between the simple theory of types and the Calculus of Inductive Constructions will require further generalizations of the General Schema allowing for dependent and polymorphic inductive types.

The strong normalization proof of our new calculus is based on Tait's computability predicates method [46,24]. In contrast with [28], the whole structure of the proof is made quite modular thanks to a novel formulation of our new version of the General Schema. Here, given a left-hand side $f(\vec{l})$, we define the (infinite) set of possible right-hand sides r such that the rule $f(\vec{l}) \to r$ follows the schema. This set of right-hand sides is generated inductively from $\vec{l}$ by computability preserving operations. This new definition, as can be easily seen, is strictly stronger than the previous one, allows one to reason by induction on the construction of the set of possible right-hand sides, and is easily extensible. This latter feature should prove very useful when extending the present work to the Calculus of Inductive Constructions.

We define our language in Section 2, ending with the new definition of the General Schema in Subsection 2.3. The normalization proof is given in Section 3. In Section 4, we detail many examples and explain possible extensions of the General Schema in order to be able to prove some of them. We conclude in Section 5 with two more important open problems.



2 Inductive Data Type Systems

Intuitively, an Inductive Data Type System (IDTS) is a simply-typed λ-calculus in which each base type is equipped with a set of constructors together with the associated structural induction principle in the form of Gödel's primitive recursive rules of higher type and additional function symbols (completely) defined by appropriate higher-order rewrite rules. The former kind of rules can actually be seen as a particular case of the latter, resulting in a uniform formalism with a strong rewriting flavor. In the sequel, we assume the reader familiar with the notions of λ-calculus and term rewriting, as presented in [4] for the simply-typed λ-calculus, [16] for term rewriting and [31,39,49] for the several variants of higher-order rewriting existing in the literature.

We first introduce the term language before moving on to the definition of higher-order rewrite rules and of the new formulation of the General Schema.



2.1 The language

In this subsection, we introduce successively the signature (made of inductive types, constructors and function symbols) and the set of well-formed terms, before ending with the set of computational rules.



2.1.1 Signature

Definition 1 (Types) Given a set $\mathcal{I}$ whose elements are called inductive types, the set $\mathcal{T}$ of types is generated by the following grammar rule:

$s = s \mid (s \to s)$

where s ranges over $\mathcal{I}$. Furthermore, we consider that $\to$ associates to the right, hence $s_1 \to (s_2 \to s_3)$ can be written $s_1 \to s_2 \to s_3$.

The sets of positive and negative positions of a type s are inductively defined as follows:

$Pos^+(s \in \mathcal{I}) = \{\varepsilon\}$
$Pos^-(s \in \mathcal{I}) = \emptyset$
$Pos^+(s \to t) = 1 \cdot Pos^-(s) \cup 2 \cdot Pos^+(t)$
$Pos^-(s \to t) = 1 \cdot Pos^+(s) \cup 2 \cdot Pos^-(t)$

We say that an inductive type t occurs positively in a type s if t does occur in s and every occurrence of t in s belongs to $Pos^+(s)$. t is said to occur strictly positively in $s_1 \to \dots \to s_n \to t$ if t occurs in no $s_i$.

This notion of positivity/negativity associated to the type constructor $\to$ is similar to the one used in logic with respect to the implication operator $\Rightarrow$ (as can be expected from the Curry-Howard isomorphism). Note that if s does not occur positively in t then, either s does not occur in t or else s occurs at a negative position in t. For example, ord occurs positively in $s = nat \to ord$ since it occurs in s at the set of positive positions $\{2\} \subseteq Pos^+(s) = \{2\}$. In fact, it does occur strictly positively since ord does not occur in nat. On the other hand, ord does not occur positively in $t = ord \to ord$ since it occurs at the negative position $1 \in Pos^-(t) = \{1\}$.

Definition 2 (Constructors) We assume that each inductive type $s \in \mathcal{I}$ comes along with an associated set $\mathcal{C}(s)$ of constructors, each constructor $C \in \mathcal{C}(s)$ being equipped with a type $\tau(C) = s_1 \to \dots \to s_n \to s$. n is called the arity of C and we denote by $\mathcal{C}_n$ the set of constructors of arity n. We assume that the sets $\mathcal{C}(s)$ are pairwise disjoint.

Constructor declarations define a quasi-ordering on $\mathcal{I}$: an inductive type s depends on an inductive type t, written $s \geq_{\mathcal{I}} t$, if t occurs in the type of a constructor $C \in \mathcal{C}(s)$. (In fact, we consider the reflexive and transitive closure of this relation.) We use $=_{\mathcal{I}}$ and $>_{\mathcal{I}}$ for respectively the equivalence and the strict ordering associated to $\geq_{\mathcal{I}}$ and say that s is $\mathcal{I}$-equivalent to t if $s =_{\mathcal{I}} t$.

Definition 3 (Strictly positive inductive types) An inductive type s is said to be strictly positive if it does not occur or occurs strictly positively in the types of the arguments of its constructors, and no type $\mathcal{I}$-equivalent to s occurs at a negative position in the types of the arguments of the constructors of s. A strictly positive type is basic if its constructors have no functional arguments.

Assumption 1: We assume that $>_{\mathcal{I}}$ is well-founded and that all inductive types are strictly positive.

To spell out the strict-positivity condition, assume that an inductive type s has n constructors $C_1, \dots, C_n$ with $\tau(C_i) = s_{i,1} \to \dots \to s_{i,n_i} \to s$ and $s_{i,j} = s_{i,j,1} \to \dots \to s_{i,j,n_{i,j}} \to t_{i,j}$. Then, s is strictly positive if $t_{i,j} \leq_{\mathcal{I}} s$, s occurs in no $s_{i,j,k}$ and no type $\mathcal{I}$-equivalent to s occurs at a negative position in some $s_{i,j}$. It is basic if, moreover, $n_{i,j} = 0$ for all i, j.

Examples of type definitions used in the paper are bool for booleans, nat for natural numbers, list_nat for lists of natural numbers (we do not consider polymorphic types here), tree and list_tree for the mutually inductive types of trees and lists of trees, proc for process expressions [44] (δ denotes the deadlock, ";" the sequencing, + the choice operator and Σ the dependent choice), ord for well-founded trees, i.e. Brouwer's ordinals [45], form for formulas of the predicate calculus and R for expressions built upon real numbers [42]:

• bool = true : bool | false : bool

• nat = 0 : nat | s : nat → nat

• list_nat = nil : list_nat | cons : nat → list_nat → list_nat

• tree = node : list_tree → tree

• list_tree = nil : list_tree | cons : tree → list_tree → list_tree

• proc = δ : proc | ; : proc → proc → proc | + : proc → proc → proc | Σ : (data → proc) → proc

• ord = 0 : ord | s : ord → ord | lim : (nat → ord) → ord

• form = ∨ : form → form → form | ¬ : form → form | ∀ : (term → form) → form | ...

• R = 0 : R | 1 : R | + : R → R → R | cos : R → R | ln : R → R | ...

All types above are basic, except ord and form which are strictly positive. We have used the same name for constructors of different types, but we should not if they have to live together. For the sake of simplicity, we will continue in practice to overload names when there is no ambiguity, otherwise we will disambiguate names as in $0_{nat}$. Our inductive types above are inhabited by expressions built up from their constructors, as for example $\forall(\lambda x.(P\ x) \wedge (Q\ x))$ which represents the logical formula $\forall x\, P(x) \wedge Q(x)$.
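The positivity computation of Definition 1 and the strictly-positive/basic test of Definition 3, run over the signature just listed, as an added example (not code from the paper; the encoding of types, the helper names, treating term as an opaque name and the constructed type bad are our assumptions):

```python
# Positive and negative positions of a simple type (Definition 1) and the
# strictly-positive / basic test of Definition 3, run over the example
# signature of the page. Added illustration, not the paper's code: the
# encoding of types and the helper names are ours.

# A type is an inductive type name (str) or an arrow ('->', s, t).
def arrow(*ts):
    """arrow(a, b, c) builds a -> (b -> c): -> associates to the right."""
    t = ts[-1]
    for s in reversed(ts[:-1]):
        t = ('->', s, t)
    return t

def occurrences(ty, pos=(), polarity=+1, out=None):
    """Map each position (tuple over {1,2}) of an inductive type occurring
    in ty to (name, polarity).  Following Pos+(s -> t) = 1.Pos-(s) U
    2.Pos+(t), the argument side flips polarity, the result side keeps it;
    an inductive type itself sits at the empty position with polarity +."""
    if out is None:
        out = {}
    if isinstance(ty, tuple):
        occurrences(ty[1], pos + (1,), -polarity, out)
        occurrences(ty[2], pos + (2,), polarity, out)
    else:
        out[pos] = (ty, polarity)
    return out

def pos_plus(ty):
    return {p for p, (_, pol) in occurrences(ty).items() if pol > 0}

def pos_minus(ty):
    return {p for p, (_, pol) in occurrences(ty).items() if pol < 0}

def occurs(t, ty):
    return any(name == t for name, _ in occurrences(ty).values())

def occurs_positively(t, ty):
    pols = [pol for name, pol in occurrences(ty).values() if name == t]
    return bool(pols) and all(pol > 0 for pol in pols)

def occurs_strictly_positively(t, ty):
    """t occurs strictly positively in s1 -> ... -> sn -> t iff it occurs
    in no si; the final result type must be t itself."""
    args = []
    while isinstance(ty, tuple):
        args.append(ty[1])
        ty = ty[2]
    return ty == t and not any(occurs(t, a) for a in args)

def depends_on(sig):
    """>=_I: reflexive-transitive closure of 'occurs in a constructor type'."""
    geq = {s: {s} for s in sig}
    for s, ctors in sig.items():
        for _, args in ctors:
            for a in args:
                geq[s] |= {n for n, _ in occurrences(a).values() if n in sig}
    changed = True
    while changed:
        changed = False
        for s in sig:
            closure = set().union(*(geq[t] for t in geq[s]))
            if not closure <= geq[s]:
                geq[s] |= closure
                changed = True
    return geq

def classify(sig, s):
    """'basic', 'strictly positive' or 'not strictly positive' (Definition 3)."""
    geq = depends_on(sig)
    equiv = {t for t in geq[s] if s in geq[t]}          # I-equivalence class of s
    for _, args in sig[s]:
        for a in args:
            if occurs(s, a) and not occurs_strictly_positively(s, a):
                return 'not strictly positive'
            if any(n in equiv and pol < 0 for n, pol in occurrences(a).values()):
                return 'not strictly positive'
    basic = all(isinstance(a, str) for _, args in sig[s] for a in args)
    return 'basic' if basic else 'strictly positive'

# The page's example signature; 'term' gets no constructors in the text, so
# it is treated as an opaque name.  'bad' is a constructed counter-example.
SIG = {
    'bool': [('true', []), ('false', [])],
    'nat': [('0', []), ('s', ['nat'])],
    'list_nat': [('nil', []), ('cons', ['nat', 'list_nat'])],
    'tree': [('node', ['list_tree'])],
    'list_tree': [('nil', []), ('cons', ['tree', 'list_tree'])],
    'ord': [('0', []), ('s', ['ord']), ('lim', [arrow('nat', 'ord')])],
    'form': [('or', ['form', 'form']), ('not', ['form']),
             ('forall', [arrow('term', 'form')])],
    'bad': [('c', [arrow('bad', 'bad')])],   # its own type in argument position
}

if __name__ == '__main__':
    for name in SIG:
        print(name, '->', classify(SIG, name))
```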

A more general class of inductive types is the one of positive inductive types. An inductive type is said to be positive if it occurs only at positive positions in the types of the arguments of its constructors (the case of mutually inductive types is defined similarly, by requiring that any type equivalent to it occurs only at positive positions in the types of the arguments of its constructors). The positivity condition ensures that we can define sets of objects by induction on the structure of the elements of the inductive type: it implies the monotonicity of the functional of which the set of objects is the least fixpoint. The class of positive inductive types is the largest class that one can consider within the framework of the simply-typed λ-calculus, since any non-positive type is inhabited by non-terminating well-typed terms in this framework [36]. In this paper, we restrict ourselves to strictly positive inductive types, as in the Calculus of Inductive Constructions [51], and prove the strong normalization property of our calculus under this assumption. However, we conjecture that strong normalization holds in the non-strictly positive case too.

Definition 4 (Function symbols) For each non-empty sequence $s_1, \dots, s_n, s$ of types, we assume given a set $\mathcal{F}_{s_1, \dots, s_n, s}$ of function symbols containing the constructors of arity n and type $s_1 \to \dots \to s_n \to s$. Given a symbol $f \in \mathcal{F}_{s_1, \dots, s_n, s}$, n is its arity and $\tau(f) = s_1 \to \dots \to s_n \to s$ its type. We denote by $\mathcal{F}_n$ the set of function symbols of arity n and by $\mathcal{F}$ the set of all function symbols.

We also assume given a quasi-ordering $\geq_{\mathcal{F}}$ on $\mathcal{F}$, called precedence, whose associated strict ordering $>_{\mathcal{F}}$ is well-founded.

For example, we may have an injection function i from nat to ord. Then, $lim(\lambda n.i(n))$ represents the first limit ordinal ω as the limit of the infinite sequence of ordinals 0, s(0), s(s(0)), ... We will later see how to define this injection function in our calculus.
2.1.2 Terms

Definition 5 (Terms) Given a family $(\mathcal{X}_s)_{s \in \mathcal{T}}$ of disjoint infinite sets of variables with $\mathcal{X}$ denoting their union, the set of untyped terms is defined by the grammar rule:

$u = x \mid \lambda x.u \mid (u\ u) \mid f(u_1, \dots, u_n)$

where f ranges over $\mathcal{F}_n$ and x over $\mathcal{X}$. $\lambda x.u$ denotes the abstraction of u w.r.t. x, i.e. the function of parameter x and body u, while $(u\ v)$ denotes the application of the function u to the term v. A term of the form $f(u_1, \dots, u_n)$ is said to be function-headed, and constructor-headed if $f \in \mathcal{C}$.

The family of sets $(\mathcal{L}_s)_{s \in \mathcal{T}}$ of terms of type s is inductively defined on the structure of terms as follows:

• if $x \in \mathcal{X}_s$ then $x \in \mathcal{L}_s$,

• if $x \in \mathcal{L}_s$ and $u \in \mathcal{L}_t$ then $\lambda x.u \in \mathcal{L}_{s \to t}$,

• if $u \in \mathcal{L}_{s \to t}$ and $v \in \mathcal{L}_s$ then $(u\ v) \in \mathcal{L}_t$,

• if f is a function symbol of arity n and type $s_1 \to \dots \to s_n \to s$ and $u_1 \in \mathcal{L}_{s_1}, \dots, u_n \in \mathcal{L}_{s_n}$ then $f(u_1, \dots, u_n) \in \mathcal{L}_s$.

Finally, we denote by $\mathcal{L} = \bigcup_{s \in \mathcal{T}} \mathcal{L}_s$ the set of terms of our calculus. The type of a term u is the (unique) type $t \in \mathcal{T}$ such that $u \in \mathcal{L}_t$. We may use the notation u : t to indicate that u is of type t.

Note that we could have adopted a presentation based on type-checking rules. The reader will easily extract such rules from the definition of the sets $\mathcal{L}_s$.

As usual, we consider that the application associates to the left such that $((u_1\ u_2)\ u_3)$ can be written $(u_1\ u_2\ u_3)$. The sequence of terms $u_1 \dots u_n$ is denoted by the vector $\vec{u}$ of length $|\vec{u}| = n$. We consider that $(v\ \vec{u})$ and $\lambda\vec{x}.v$ both denote the term v if $\vec{u}$ or $\vec{x}$ is the empty sequence, and the respective terms $(\dots((v\ u_1)\ u_2) \dots u_n)$ and $\lambda x_1 \dots \lambda x_n.v$ otherwise.

After Dewey, the set Pos(u) of positions in a term u is a language over the alphabet of strictly positive natural numbers. The subterm of a term u at position $p \in Pos(u)$ is denoted by $u|_p$ and the term obtained by replacing $u|_p$ by a term v is written $u[v]_p$. We write $u \trianglerighteq v$ if v is a subterm of u.

We denote by FV(u) the set of free variables occurring in a term u. A term in which a variable x occurs freely at most once is said to be linear w.r.t. x, and a term is linear if all its free variables are linear.

A substitution θ is an application from $\m
athcal{X}$ to $\mathcal{L}$, written in a postfix notation as in xθ. Its domain is the set $dom(\theta) = \{x \in \mathcal{X} \mid x\theta \neq x\}$. A substitution is naturally extended to an application from $\mathcal{L}$ to $\mathcal{L}$, by replacing each free variable by its image and avoiding variable captures. This can be carried out by renaming the bound variables if necessary, an operation called α-conversion. As usual, we will always work modulo α-conversion, hence identifying the terms that only differ from each other in their bound variables. Furthermore, we will always assume that free and bound variables are distinct and that bound variables are distinct from each other. Finally, we may use the notation $\{\vec{x} \mapsto \vec{u}\}$ for denoting the substitution which associates $u_i$ to $x_i$ for each i.

2.1.3 Computational rules

Our language is made of three ingredients: a typed λ-calculus, a set of inductive types with their constructors and a set of function symbols. As a consequence, there will be three kinds of rules in the calculus: the two rules coming from the λ-calculus,

$(\lambda x.u\ v) \to_\beta u\{x \mapsto v\}$
$\lambda x.(u\ x) \to_\eta u$ if $x \notin FV(u)$

the rules associated with the inductive types, for example:

natrec(X, Y, 0) → X
natrec(X, Y, s(n)) → (Y n natrec(X, Y, n))

for the inductive type nat, and the rules used for defining the function symbols, for example:

$i(0_{nat}) \to 0_{ord}$
$i(s_{nat}(x)) \to s_{ord}(i(x))$

for the injection function from nat to ord. We can immediately see that the recursor rules look very much like the rules defining the injection. We will show in Section 4 that the recursor rules for strictly positive inductive types follow the General Schema defined in Subsection 2.3 and, therefore, the recursor rules need not be singled out in our technical developments.

2.2 Higher-order rewriting

Before defining the General Schema precisely, we need to introduce the notion of higher-order rewriting that we use. Indeed, several notions of higher-order rewriting exist in the literature. Ours is the simplest possible: a term u rewrites to a term u' by using a rule $l \to r$ if u matches the left-hand side l or, equivalently, if u is an instance of l by some substitution θ. Matching here is syntactic, that is, u is α-convertible to the instance of l. In contrast, the more sophisticated notions of higher-order rewriting defined by Klop (Combinatory Reduction Systems [30,31]), Nipkow (Higher-order Rewrite Systems [39,34]) and van Raamsdonk and van Oostrom (Higher-Order Rewriting Systems [49,50], generalizing both) are based on higher-order pattern-matching, that is, u must be βηα-convertible to the instance of l.

Definition 6 (Rewrite rules and rewriting) A rewrite rule is a pair $l \to r$ of terms such that:

(1) l is headed by a function symbol,

(2) $FV(r) \subseteq FV(l)$,

(3) l and r have the same type.

Given a set R of rewrite rules, a term u R-rewrites to a term u' at position $p \in Pos(u)$ with the rule $l \to r \in R$, written $u \to^p_R u'$, if there exists a substitution θ such that $u|_p = l\theta$ and $u' = u[r\theta]_p$.

The defining rules of a function symbol f are the rules whose left-hand side is headed by f.

Condition (3) ensures that the reduction relation preserves types, that is, u and u' have the same type if $u \to_R u'$, a property called subject reduction.

We now give two more (classical) examples defining, for the first, the (formal) addition on Brouwer's ordinals and, for the second, some functions over lists. The first example is paradigmatic in its use of strictly positive types which are not basic. The second example uses a rule with an abstraction in the left-hand side. More complex examples of the second kind will be given in Section 4.

For the (formal) addition of Brouwer's ordinals,

x + 0 → x
x + s(y) → s(x + y)
x + lim(F) → lim(λn.(x + (F n)))

note that the first two rules are just first-order ones, hence a special case of higher-order rules. More important, note the need of an abstraction in the right-hand side of the last rule to bind the variable n needed for using the higher-order variable F taken from the left-hand side. This makes the termination proof of this set of rules a difficult task. In our case, the termination property will be readily obtained by showing that these rules follow our (improved) definition of the General Schema. The difficulty, of course, is simply delegated to the strong normalization proof of the schema.

About Brouwer's ordinals [45], note that only a suitable choice of F's provides a semantically correct ordinal notation and that, for such a correct notation, the above formal definition provides semantically correct ordinal addition.

For the functions over lists,

append(nil, l) → l
append(cons(x, l), l') → cons(x, append(l, l'))
append(append(l, l'), l'') → append(l, append(l', l''))

map(F, nil) → nil
map(F, cons(x, l)) → cons((F x), map(F, l))
map(F, append(l, l')) → append(map(F, l), map(F, l'))
map(λx.x, l) → l

note that the first three rules, which define the concatenation append of two lists, are again usual first-order rules. The next four rules define the function map which successively applies the function F to the elements of some list. Note that the third and sixth rules use a matching over a function symbol, namely append.



2.3 The General Schema

We now proceed to describe the schema that the user-defined higher-order rules should follow. In particular, all examples of higher-order rules given so far satisfy this schema. It is inspired from the last two authors' former General Schema [27,28] although the formulation is quite different. The new schema is more powerful and answers a problem left open with the former one, that is, the ability of capturing definitions like the one previously given for the addition on ordinals. The main property of the schema is that it ensures the termination property of the relation $\to_R \cup \to_{\beta\eta}$, for any set R of rules following the General Schema. This will be the subject of Section 3.

In a function definition, in the case of a recursive call, we need a way to compare the arguments of the recursive calls in the right-hand side with the arguments of the left-hand side, and prove that they strictly decrease to ensure termination. What we expect to use as the comparison ordering is the subterm ordering or some extension of it. The one we are going to introduce is similar to Coquand's notion of "structurally smaller" [12] and will allow us to deal with definitions like the addition on ordinals. The comparison between the recursive call arguments and the left-hand side arguments will then be done in a lexicographic or multiset manner, or a combination thereof, according to a status of the function symbol being defined. This status can be given by the user, or computed in non-deterministic linear time.

In the following, we assume given a family $\{x_i\}_{i \geq 1}$ of variables.

Definition 7 (Status ordering) A status is a linear term $stat = lex(u_1, \dots, u_p)$ (p ≥ 1) where each $u_i$ is of the form $mul(x_{k_1}, \dots, x_{k_q})$ (q ≥ 1) with $x_{k_1}, \dots, x_{k_q}$ of the same type. The arity of stat is the greatest index i such that $x_i$ occurs in stat. The set Lex(stat) of lexicographic positions in stat is the set of indices i such that there exists $j \in \{1, \dots, p\}$ for which $u_j = mul(x_i)$, that is, q = 1.

Given a status stat of arity n, a strict ordering > on a set E can be extended to an ordering $>_{stat}$ on sequences of elements of E of length greater or equal to n as follows:

• $\vec{u} >_{stat} \vec{v}$ iff $stat\{\vec{x} \mapsto \vec{u}\} >^{lex}_{stat} stat\{\vec{x} \mapsto \vec{v}\}$

• $lex(\vec{u}) >^{lex}_{stat} lex(\vec{v})$ iff $\vec{u}\ (>^{mul}_{stat})_{lex}\ \vec{v}$

• $mul(\vec{u}) >^{mul}_{stat} mul(\vec{v})$ iff $\{\vec{u}\} >_{mul} \{\vec{v}\}$

where $>_{lex}$ and $>_{mul}$ denote the lexicographic and multiset extension of > respectively.

For example, with $stat = lex(x_3, mul(x_2, x_4))$, $\vec{u} >_{stat} \vec{v}$ iff $u_3 > v_3$ or else $u_3 = v_3$ and $\{u_2, u_4\} >_{mul} \{v_2, v_4\}$. Note that a status ordering $>_{stat}$ boils down to the usual lexicographic ordering if $stat = lex(mul(x_1), \dots, mul(x_n))$ or to the multiset ordering if $stat = lex(mul(x_1, \dots, x_n))$. An important property of status orderings is that $>_{stat}$ is well-founded if > is well-founded.

The notion of status will allow us to accept definitions like the ones below. For the Ackermann function Ack, we need to take the lexicographic status $stat_{Ack} = lex(mul(x_1), mul(x_2))$ and, for the binomial function $Bin(n, m) = C^m_{m+n}$, we need to take the multiset status $stat_{Bin} = lex(mul(x_1, x_2))$.

Ack(0, y) → s(y)
Ack(s(x), 0) → Ack(x, s(0))
Ack(s(x), s(y)) → Ack(x, Ack(s(x), y))

Bin(0, m) → s(0)
Bin(s(n), 0) → s(0)
Bin(s(n), s(m)) → Bin(n, s(m)) + Bin(s(n), m)
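The status orderings of Definition 7 applied to the Ack and Bin rules above, as an added example (not code from the paper; the term encoding, the strict subterm ordering as base ordering and the helper names are ours). It also checks that the Ack rules do not decrease under the multiset status, which is why the lexicographic one is needed:

```python
# Status orderings of Definition 7, applied to the Ack and Bin rules above:
# a status lex(mul(..), ..., mul(..)) compares argument sequences
# lexicographically group by group, each group by the multiset extension
# of a base ordering (here the strict subterm ordering). Added example, not
# the paper's code; the term encoding and helper names are ours.
from collections import Counter

# Terms are nested tuples (head, *children); 1-tuples are constants or
# variables, e.g. ('0',) and ('x',).
ZERO = ('0',)
def s(t):
    return ('s', t)

def strict_subterms(u):
    out = set()
    for child in u[1:]:
        out.add(child)
        out |= strict_subterms(child)
    return out

def subterm_gt(u, v):
    """Base ordering: u > v iff v is a strict subterm of u."""
    return v in strict_subterms(u)

def mul_gt(ms, ns, gt):
    """Multiset extension: M >mul N iff M != N and every element of N - M
    is dominated by some element of M - N."""
    M, N = Counter(ms), Counter(ns)
    if M == N:
        return False
    bigger = list((M - N).elements())
    smaller = list((N - M).elements())
    return all(any(gt(x, y) for x in bigger) for y in smaller)

def status_gt(stat, us, vs, gt=subterm_gt):
    """u >stat v for a status given as 1-based argument-index groups:
    [[1], [2]] is lex(mul(x1), mul(x2)), [[1, 2]] is lex(mul(x1, x2)).
    The first group whose multisets differ decides the comparison."""
    for group in stat:
        ms = [us[i - 1] for i in group]
        ns = [vs[i - 1] for i in group]
        if mul_gt(ms, ns, gt):
            return True
        if Counter(ms) != Counter(ns):
            return False
    return False

LEX_STATUS = [[1], [2]]   # stat_Ack = lex(mul(x1), mul(x2))
MUL_STATUS = [[1, 2]]     # stat_Bin = lex(mul(x1, x2))

x, y, n, m = ('x',), ('y',), ('n',), ('m',)
# Each rule: (left-hand side arguments, argument lists of its recursive calls).
ACK_RULES = [
    ([ZERO, y], []),                                  # Ack(0, y) -> s(y)
    ([s(x), ZERO], [[x, s(ZERO)]]),                   # Ack(s(x), 0) -> Ack(x, s(0))
    ([s(x), s(y)],                                    # Ack(s(x), s(y)) -> Ack(x, Ack(s(x), y))
     [[x, ('Ack', s(x), y)], [s(x), y]]),
]
BIN_RULES = [
    ([ZERO, m], []),                                  # Bin(0, m) -> s(0)
    ([s(n), ZERO], []),                               # Bin(s(n), 0) -> s(0)
    ([s(n), s(m)], [[n, s(m)], [s(n), m]]),           # Bin(s(n), s(m)) -> Bin(n, s(m)) + Bin(s(n), m)
]

def recursive_calls_decrease(rules, stat):
    """True iff every recursive call's arguments are >stat-smaller than the
    left-hand side arguments, the comparison asked for by Definition 11 (6)."""
    return all(status_gt(stat, lhs, call)
               for lhs, calls in rules for call in calls)

if __name__ == '__main__':
    print('Ack, lexicographic status:', recursive_calls_decrease(ACK_RULES, LEX_STATUS))
    print('Ack, multiset status:     ', recursive_calls_decrease(ACK_RULES, MUL_STATUS))
    print('Bin, multiset status:     ', recursive_calls_decrease(BIN_RULES, MUL_STATUS))
```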

Apart from the notion of status, the other ingredients of our schema are new. We introduce them in turn.

Definition 8 (Symbol definitions) We assume that each function symbol f of arity n ≥ 1 comes along with a status $stat_f$ of arity p such that 1 ≤ p ≤ n and a set $R_f$ of rewrite rules defining f. We denote by R the set of all rewrite rules and by $\to\ =\ \to_R \cup \to_{\beta\eta}$ the rewrite relation of the calculus.

Assumption 2: We assume that the precedence $>_{\mathcal{F}}$ is well-founded and that $stat_f = stat_g$ whenever $f =_{\mathcal{F}} g$.

The main new idea in the definition of the General Schema is to construct a set of admissible right-hand sides, once a left-hand side is given. This set will be generated inductively from a starting set of terms extracted from the left-hand side, called the set of accessible subterms, by the use of computability preserving operations. Here, computability refers to Tait's computability predicate method for proving the termination of the simply-typed λ-calculus [46], which was later extended by Girard to the polymorphic λ-calculus [22,24].

To explain our construction, we need to recall the basics of Tait's method. The starting observation is that it is not possible to prove the termination of β-reduction directly by induction on the structure of terms because of the application case: in the untyped λ-calculus, the term $(\lambda x.xx\ \ \lambda x.xx)$ rewrites to itself although $\lambda x.xx$ is in normal form. Tait's idea was to strengthen the induction hypothesis by using instead a property, the computability, implying termination. The computability predicate can be defined by induction on the type of terms as follows: for an inductive type s, take $[s] = SN_s$, the set of strongly normalizable terms of type s (terms having no infinite sequence of rewrites issued from them). For a functional type $s \to t$, take $[s \to t] = \{u \in \mathcal{L}_{s \to t} \mid \forall v \in [s],\ (u\ v) \in [t]\}$. From this definition, it is easy to prove that every computable term is strongly normalizable ($[s] \subseteq SN_s$) and that every term is computable ($\mathcal{L}_s \subseteq [s]$). Therefore, every term is strongly normalizable. The role of the General Schema when rewrite rules are added is to ensure that computability is preserved along the added rewritings. This is why we require that a right-hand side of rule is built up from subterms of the left-hand side, the accessible ones, by computability preserving operations: a set called the computable closure of the left-hand side.

Definition 9 (Accessible subterms) Given a term v, the set Acc(v) of accessible subterms of v is inductively defined as follows:

(1) $v \in Acc(v)$,

(2) if $\lambda x.u \in Acc(v)$ then $u \in Acc(v)$,

(3) if $C(\vec{u}) \in Acc(v)$ then each $u_i \in Acc(v)$,

(4) if $(u\ x) \in Acc(v)$ and $x \notin FV(u) \cup FV(v)$ then $u \in Acc(v)$,

(5) if u is a subterm of v of basic type such that $FV(u) \subseteq FV(v)$ then $u \in Acc(v)$.

To see how this works, let us consider the examples of append and map given in Subsection 2.2. For the rule append(nil, l) → l, l is accessible in the arguments of append by (1). For the rule append(cons(x, l), l') → cons(x, append(l, l')), l is accessible in cons(x, l) by (3) and (1). The other rules are dealt with in the same way. Another example is given by the associativity rule of the addition on natural numbers: in the rule (x + y) + z → x + (y + z), the variables x and y are accessible by (5). This does not work for the addition on Brouwer's ordinals since ord is not a basic inductive type. The cases (2) and (4) will be useful in the more complex examples of Section 4.

We have already seen how to extract subterms from a left-hand side of rule. We are left with the construction of the computable closure from these subterms. Among the operations used for the computable closure, one constructs recursive calls with "smaller" arguments. We therefore need to define the intended ordering, which has to be richer than the usual subterm ordering, as exemplified by the last rule of the definition of the addition on Brouwer's ordinals:

x + lim(F) → lim(λn.(x + (F n)))

We see that (F n), the second argument of the recursive call, is not a strict subterm of lim(F). Extending the General Schema so as to capture such definitions was among the open problems mentioned in [28]. On the other hand, in a set-theoretic interpretation of functions as input-output pairs, the pair (n, (F n)) would belong to F, and therefore, (F n) would in this sense be smaller than F. This is what is done by Coquand with his notion of "structurally smaller" [12] which he assumes to be well-founded without a proof. Here, we make the same idea more concrete by relating it to the strict positivity condition of inductive types.

Definition 10 (Ordering on arguments) Let s be a type and u and v be two terms of type s.

• If s is a strictly positive inductive type then u is greater than v, u > v, if there is $p \in Pos(u)$ such that $p \neq \varepsilon$, $v = (u|_p\ \vec{v})$ and, for all q < p, $u|_q$ is constructor-headed.

• Otherwise, u > v if v is a strict subterm of u such that $FV(v) \subseteq FV(u)$.
We are now ready to define the computable closure of a left-hand side.

Definition 11 (Computable closure) Given a symbol $f \in \mathcal{F}_{s_1, \dots, s_n, s}$, the computable closure $CC_f(\vec{l})$ of some term $f(\vec{l})$ is inductively defined as the least set CC such that:

(1) if x is a variable then $x \in CC$,

(2) if $u \in Acc(\vec{l})$ then $u \in CC$,

(3) if u and v are two terms in CC of respective types $t_1 \to t_2$ and $t_1$ then $(u\ v) \in CC$,

(4) if $u \in CC$ then $\lambda x.u \in CC$,

(5) if $g \in \mathcal{F}_{t_1, \dots, t_p, t}$, $g <_{\mathcal{F}} f$ and $u_1, \dots, u_p$ are p terms in CC of respective types $t_1, \dots, t_p$ then $g(\vec{u}) \in CC$,

(6) if $g \in \mathcal{F}_{t_1, \dots, t_p, t}$, $g =_{\mathcal{F}} f$ and $u_1, \dots, u_p$ are p terms in CC of respective types $t_1, \dots, t_p$ then $g(\vec{u}) \in CC$ whenever:

• $\vec{l} >_{stat_f} \vec{u}$,

• if $l_k > (l_k|_p\ \vec{v})$ then each $v_i$ belongs to CC.

Definition 12 (General Schema) A rewrite rule $f(\vec{l}) \to r$ follows the General Schema (GS) if $r \in CC_f(\vec{l})$ and, for every $x \in FV(r)$, $x \in Acc(\vec{l})$.

As an example, let us prove that the definitions of append and map given 
in Subsection 2.2 indeed follow the General Schema. We already saw that 
the free variables occurring in the left-hand sides were all accessible; hence, by 
(2), they belong to the computable closure (CC) of their respective left-hand 
side. For the rule $append(cons(x,l),l') \to cons(x, append(l,l'))$, $append(l,l')$ 
belongs to CC by (6) since $l$ is a strict subterm of $cons(x,l)$. For the rule 
$map(F, cons(x,l)) \to cons((F\ x), map(F,l))$, $(F\ x)$ belongs to CC by (3), 
$map(F,l)$ by (6) and the whole right-hand side by (5). The other rules are 
dealt with similarly. 

In our previous definition of the General Schema, the computable closure was 
left somewhat implicit with, in particular, a poor accessibility relation and a case (7) 
in which the ordering used was always the strict subterm ordering. 

The main differences with Coquand's notion of "structurally smaller" [12] or 
its extension by Gimenez [20] are that: 

(1) we use statuses for comparing the arguments of the recursive calls with 
the left-hand side arguments (which include lexicographic comparisons), 

(2) we may compare a function-headed term or a $\lambda$-headed term with one of 
its subterms while, in Coquand's definition, comparisons are restricted to 
constructor-headed terms. 

A main advantage of both notions of accessibility and computable closure is 
their formulation: it is immediate to add new cases in these definitions. This 
flexibility should of course be essential when extending the schema to richer 
calculi. 

Given a user's specification following the General Schema, the question arises 
whether the following properties are satisfied: subject reduction, confluence, 
completeness of definitions and strong normalization. Subject reduction fol- 
lows easily. Confluence reduces to local confluence once strong normalization 
is satisfied and can therefore be checked on the critical pairs. Completeness 
of definitions is necessary for the recursor definitions to make sense in our 
Curry-Howard interpretation of types. Checking it can be done by solving 
(higher-order) disequations. As recalled in [28], this can be done automati- 
cally for a reasonable fragment of the set of second order terms. In the next 
section, we address the remaining problem, strong normalization. 



3 Strong normalization 

In this section, we prove that the rewrite relation $\to\ =\ \to_R \cup \to_{\beta\eta}$ is termi- 
nating, i.e. there is no infinite sequence of rewrites, whenever all rules of $R$ 
satisfy the General Schema. Due to the formulation of the schema, our proof 
here is much simpler than the one in [28], although the schema is more gen- 
eral. It is again based on Tait's computability predicate method. See [19] for 
a comprehensive survey of the method. 

We first define the interpretation of types and prove important properties 
about it. In a second part, we prove a computability property for the function 
symbols: assuming that the rules satisfy the General Schema, a term headed 
by a function symbol is computable whenever its arguments are computable. 
Strong normalization follows then easily. 

3.1 Interpretation of types 

Definition 13 (Interpretation of types) The interpretation $[s]$ of a type 
$s \in \mathcal{T}$ is inductively defined as follows: 

• if $s \in \mathcal{I}$, $[s]$ is the set of terms $u \in SN^s$ such that, for every term $C(\vec{u})$ such that 
$u \to^* C(\vec{u})$, each $u_i \in [s_i]$, 

• $[s \to t] = \{u \in \mathcal{L}^{s \to t} \mid \forall v \in [s],\ (u\ v) \in [t]\}$. 

In the following, we will say that a term of type $s$ is computable if it belongs to 
$[s]$ and that a substitution $\theta$ is computable if, for every variable $x \in dom(\theta) \cap 
\mathcal{X}^s$, $x\theta \in [s]$. 

The reason why we need such a complex interpretation is that we need the 
property that the arguments of a computable constructor-headed term are 
computable. Meanwhile, we will see in Lemma 16.7 just below that, in the case of 
a basic inductive type $s$, the interpretation is merely $SN^s$. 

But, first, we show that our definition makes sense. 

Lemma 14 For every type $s \in \mathcal{T}$, $[s]$ is uniquely defined. 



PROOF. It suffices to prove that it holds for every inductive type $s \in \mathcal{I}$. 
For the sake of simplicity, we assume that $=_\mathcal{I}$ is the identity, that is, there are 
no mutually inductive types. At the end, we tell how to treat the general case 
which, apart from the notations, is no more difficult. Let $\mathcal{P}(SN^s)$ be the set 
of subsets of $SN^s$. $\mathcal{P}(SN^s)$ is a complete lattice with respect to set inclusion 
$\subseteq$. We show that $[s]$ is uniquely defined as the least fixpoint of a monotone 
functional over this lattice. The proof is by induction on $>_\mathcal{I}$, which is assumed 
to be well-founded. 



We define the following family of functions $F_s : \mathcal{P}(SN^s) \to \mathcal{P}(SN^s)$ indexed 
by inductive types: 

$F_s(X) = X \cup \{u \in SN^s \mid \text{if } u \to^* C(\vec{u}) \text{ then each } u_i \in R_{s_i}(X)\}$, 

where 

$R_t(X) = [t]$ if $t \in \mathcal{I}$ and $s >_\mathcal{I} t$, 

$R_t(X) = X$ if $t = s$, 

$R_t(X) = R_{t_1}(X) \to R_{t_2}(X)$ if $t = t_1 \to t_2$. 

Since inductive types are assumed to be (strictly) positive, $F_s$ is monotone. 
Hence, from Tarski's theorem, it has a least fixed point, $[s]$. 

In the case of mutually inductive types, the function $F_s$ operates on a product of 
subsets $SN^{s_1} \times \ldots \times SN^{s_n}$ if $s_1, \ldots, s_n$ are all the inductive types equivalent 
to $s$, which is again a lattice. Apart from the notations, the argument is 
therefore the same. 



We showed that each $[s]$ is the least fixpoint of the monotone functional $F_s$. 
This least fixpoint can be reached by transfinite iteration. Let $F_s^\alpha$ be the $\alpha$-th 
iterate of $F_s$ over the empty set. Note that we need to go further than $\omega$, as 
is shown by the following example. Consider the function $f : nat \to ord$ 
defined by the following rules: 

$f(0_{nat}) \to 0_{ord}$ 

$f(s_{nat}(n)) \to lim(\lambda x.f(n))$ 

For all $n$, $f(n) \in F_{ord}^{n+1} \setminus F_{ord}^{n}$. Thus, $lim(\lambda x.f(x)) \in F_{ord}^{\omega+1} \setminus F_{ord}^{\omega}$. 
This provides us with a well-founded ordering on the computable terms of type $s$: 

Definition 15 (Ordering on the arguments of a function symbol) The 
order of a term $t \in [s]$ is the smallest ordinal $\alpha$ such that $t \in F_s^\alpha$. We say 
that $t \in [s]$ is greater than $u \in [s]$, $t \succ u$, if: 

• $s \in \mathcal{I}$ and the order of $t$ is greater than the order of $u$, 

• $s = s_1 \to s_2$ and $(t\ v) \succ (u\ v)$ for every $v \in [s_1]$. 

It is this ordering which allows us to treat the definitions on strictly positive 
types. This idea is already used by Mendler for proving the strong normaliza- 
tion of System F with recursors for positive inductive types [36] and by Werner 
for proving the strong normalization of the Calculus of Inductive Construc- 
tions with recursors for strictly positive types [51]. We apply this technique 
to a larger class of higher-order rewrite rules. 

Let us see the example of the addition on Brouwer's ordinals. If $lim(f)$ is 
computable then, by definition of $[ord]$, $f$ is computable. This means that, 
for any $n \in [nat]$, $(f\ n)$ is computable. Therefore, $lim(f) \succ (f\ n)$. 

Lemma 16 (Computability properties) A term is neutral if it is neither an 
abstraction nor constructor-headed. 

(1) Every computable term is strongly normalizable. 

(2) Every strongly normalizable term of the form $(x\ \vec{u})$ is computable. 

(3) A neutral term is computable if all its immediate reducts are computable. 

(4) $(\lambda x.u\ v)$ is computable if $v$ is strongly normalizable and $u\{x \mapsto v\}$ is 
computable. 

(5) A constructor-headed term $C(\vec{u})$ is computable if the terms in $\vec{u}$ and all 
the immediate reducts of $C(\vec{u})$ are computable. 

(6) Computability is preserved by reduction. 

(7) If $s \in \mathcal{I}$ is a basic inductive type then $[s] = SN^s$. 



PROOF. 

(1) and (2) are proved together by induction on the type $s$ of the term. 

$s \in \mathcal{I}$: 

(1) $[s] \subseteq SN^s$ by definition. 

(2) Every strongly normalizable term $(x\ \vec{u})$ of type $s$ is computable since 
it cannot reduce to a constructor-headed term. 

$s = s_1 \to s_2$: 

(1) Let $u$ be a computable term of type $s$ and $x$ be a variable of type 
$s_1$. By induction hypothesis, $x \in [s_1]$ hence, by definition of the 
interpretation for $s$, $(u\ x) \in [s_2]$. By induction hypothesis again, 
$(u\ x) \in SN^{s_2}$. Therefore, $u \in SN^{s_1 \to s_2}$. 

(2) Let $(x\ \vec{u})$ be a strongly normalizable term of type $s$ and let $v \in [s_1]$. 
By induction hypothesis, $v \in SN^{s_1}$ and $(x\ \vec{u}\ v) \in [s_2]$. Therefore, 
$(x\ \vec{u}) \in [s]$. 

(3) is proved again by induction on the type $s$ of the term. 

$s \in \mathcal{I}$: 

Let $u$ be a neutral term of type $s$ whose immediate reducts belong to $[s]$. 
By (1), its immediate reducts are strongly normalizable, hence $u \in SN^s$. 
Suppose now that $u$ reduces to a constructor-headed term $C(\vec{v})$. Since $u$ 
is neutral, it cannot be itself constructor-headed. Hence, $C(\vec{v})$ is a reduct 
of some immediate reduct $u'$ of $u$. By definition of $[s]$ and since $u' \in [s]$ 
by assumption, the terms in $\vec{v}$ are computable. Therefore $u \in [s]$. 

$s = s_1 \to s_2$: 

Let $u$ be a neutral term of type $s$ whose immediate reducts are computable 
and let $v \in [s_1]$. By (1), $v \in SN^{s_1}$. Therefore, $\to$ is well-founded on the 
set of reducts of $v$. 

Then, we prove that the immediate reducts of $(u\ v)$ belong to $[s_2]$, by 
induction on $v$ w.r.t. $\to$. As $u$ is neutral, an immediate reduct of $(u\ v)$ 
is either of the form $(u'\ v)$ where $u'$ is a reduct of $u$, or else of the form 
$(u\ v')$ where $v'$ is a reduct of $v$. In the first case, since $u'$ is computable by 
assumption, $(u'\ v) \in [s_2]$. In the second case, we conclude by induction 
hypothesis on $v'$. 

As a consequence, since $(u\ v)$ is neutral, by induction hypothesis, 
$(u\ v) \in [s_2]$. Therefore, $u$ is computable. 

(4) Since $(\lambda x.u\ v)$ is neutral, by (3), it suffices to prove that each one of its 
reducts is computable. The reduct $u\{x \mapsto v\}$ is computable by assumption. 
Otherwise, we reason by induction on the set of the reducts of $u$ and $v$ 
(which are both strongly normalizable) with $\to$ as well-founded ordering. 

(5) Let $C(\vec{u})$ be a constructor-headed term such that the terms in $\vec{u}$ and all its 
immediate reducts are computable. Then, it is strongly normalizable since, 
by (1), all its immediate reducts are strongly normalizable. Now, let $D(\vec{v})$ 
be a constructor-headed term such that $C(\vec{u}) \to^* D(\vec{v})$. If $D(\vec{v}) = C(\vec{u})$ 
then the terms in $\vec{v} = \vec{u}$ are computable by assumption. Otherwise, there is 
an immediate reduct $u'$ of $C(\vec{u})$ such that $u' \to^* D(\vec{v})$. Since, by assumption, 
$u'$ is computable, the terms in $\vec{v}$ are computable. Hence, $C(\vec{u})$ is computable. 

(6) is proved again by induction on the type $s$ of the term. 

$s \in \mathcal{I}$: 

Let $u \in [s]$ and $u'$ be a reduct of $u$. By (1), $u \in SN^s$, hence $u' \in SN^s$. 
Besides, if $u'$ reduces to a constructor-headed term $C(\vec{v})$ then $u$ reduces to 
$C(\vec{v})$ as well. Therefore, by definition of $[s]$, the terms in $\vec{v}$ are computable 
and $u' \in [s]$. 

$s = s_1 \to s_2$: 

Let $u$ be a computable term of type $s$, $u'$ be a reduct of $u$ and $v \in [s_1]$. 
$(u'\ v)$ is a reduct of $(u\ v)$ which, by definition of $[s]$, belongs to $[s_2]$. 
Hence, by induction hypothesis, $(u'\ v) \in [s_2]$ and $u'$ is computable. 

(7) By (1), $[s] \subseteq SN^s$. We prove that $SN^s \subseteq [s]$, by induction on $SN^s$ with 
$\to \cup \rhd$ as well-founded ordering. Let $u \in SN^s$ and suppose that $u \to^* C(\vec{v})$ 
where $C \in \mathcal{C}(s)$. Since $s$ is basic, $\tau(C) = s_1 \to \ldots \to s_n \to s$ where each 
$s_i$ is also a basic inductive type. Each $v_i$ is strongly normalizable hence, by 
induction hypothesis, each $v_i$ is computable. Therefore, $u$ is computable. 



3.2 Computability of function symbols 

We start this paragraph by proving that accessibility is compatible with com- 
putability, that is, any term accessible in a computable term is computable. 
Then, we prove the same property for the computable closure. 

Lemma 17 (Compatibility of accessibility with computability) Let $v$ 
be a term and $\theta$ a computable substitution such that $dom(\theta) \subseteq FV(v)$ and $v\theta$ 
is computable. If $u$ is accessible in $v$ and $\theta'$ is a computable substitution such 
that $dom(\theta') \cap FV(v) = \emptyset$ then $u\theta\theta'$ is computable. 



PROOF. By induction on $u \in Acc(v)$. 

(1) The case $u = v$ is immediate since $u\theta\theta' = v\theta\theta' = v\theta$. 

(2) $\lambda x.u \in Acc(v)$. $\theta' = \theta'' \uplus \{x \mapsto x\theta'\}$ with $x \notin dom(\theta'')$. $u\theta\theta' = u\theta\theta''\{x \mapsto 
x\theta'\}$ is a reduct of $(\lambda x.u\theta\theta''\ x\theta')$. $dom(\theta'') \cap FV(v) = \emptyset$ hence, by induction 
hypothesis, $\lambda x.u\theta\theta''$ is computable. Therefore, $u\theta\theta'$ is computable since, 
by assumption on $\theta'$, $x\theta'$ is computable. 

(3) $u = u_i$ and $C(\vec{u}) \in Acc(v)$. By induction hypothesis, $C(\vec{u}\theta\theta')$ is com- 
putable. Therefore, by definition of computability for inductive types, 
$u\theta\theta'$ is computable. 

(4) $(u\ x) \in Acc(v)$ and $x \notin FV(u) \cup FV(v)$. $u$ must be of type $s \to t$ and 
$x \notin dom(\theta')$. Then, let $w$ be a computable term of type $s$ and $\theta'' = 
\theta' \uplus \{x \mapsto w\}$. $dom(\theta'') \cap FV(v) = \emptyset$ hence, by induction hypothesis, 
$(u\ x)\theta\theta'' = (u\theta\theta'\ w)$ is computable. Therefore $u\theta\theta'$ is computable. 

(5) $u$ is a subterm of $v$ of basic type such that $FV(u) \subseteq FV(v)$. Since 
$FV(u) \subseteq FV(v)$, $u\theta\theta' = u\theta$ is a subterm of $v\theta$. Since $v\theta$ is computable, 
hence strongly normalizable, its subterm $u\theta$ is also strongly normalizable, 
hence computable, since it is of basic type. 
Lemma 18 (Computability of function symbols) Assume that the rules 
of $R$ satisfy the General Schema. For every function symbol $f$, if $f(\vec{u})$ is a term 
whose arguments are computable, then $f(\vec{u})$ is computable. 

PROOF. The proof uses three levels of induction: on the function symbols 
ordered by $>_\mathcal{F}$ (H1), on the arguments of $f$ (H2) and on the right-hand side 
structure of the rules defining $f$ (H3). 

After Lemma 16.3 and 16.5 (the terms in $\vec{u}$ are computable by assumption), 
$f(\vec{u})$ is computable if all its immediate reducts $w$ are computable. We prove 
that by induction on $(\vec{u}, \vec{u})$ with $(\succ_{stat_f}, \to_{lex})_{lex}$ as well-founded ordering (H2). 

If the reduction does not take place at the root, then $w = f(\vec{u}')$ with $\vec{u} \to_{lex} 
\vec{u}'$. Since computability predicates are stable by reduction, the terms in $\vec{u}'$ 
are computable. Now, it is not difficult to see that $\succ$ is compatible with $\to$, 
that is, $u \succeq u'$ whenever $u \to u'$. Hence, by induction hypothesis (H2), $w$ is 
computable. 

If the reduction takes place at the root, then there are a rule $f(\vec{l}) \to r$ and a 
substitution $\theta$ such that $dom(\theta) = FV(\vec{l})$, $\vec{u} = \vec{l}\theta$ and $w = r\theta$. By definition 
of the General Schema, every variable $x$ free in $r$ is accessible in $\vec{l}$. Hence, by 
Lemma 17 (take the identity for $\theta'$), for all $x \in FV(r)$, $x\theta$ is computable since, 
by hypothesis, the terms in $\vec{l}\theta = \vec{u}$ are computable. Therefore the substitution 
$\theta|_{FV(r)}$ is computable. 

We now show by induction on $r \in CC_f(\vec{l})$ that, for any computable substitution 
$\theta'$ such that $dom(\theta') \cap FV(r) = \emptyset$, $r\theta\theta'$ is computable (H3). 

(1) $r$ is a variable $x$. If $x \in dom(\theta\theta')$ then $r\theta\theta' = x\theta\theta'$ is computable since 
$\theta\theta'$ is computable. If $x \notin dom(\theta\theta')$ then $r\theta\theta' = x$ is computable since any 
variable is computable. 

(2) $r \in Acc(\vec{l})$. By Lemma 17. 

(3) $r = (v\ w)$ with $v$ and $w$ in $CC_f(\vec{l})$. By induction hypothesis (H3), $v\theta\theta'$ and 
$w\theta\theta'$ are computable. Therefore, by definition of computability predicates, 
$r\theta\theta'$ is computable. 

(4) $r = \lambda x.v$ with $v \in CC_f(\vec{l})$. Let $s \to t$ be the type of $r$ and $w$ be a 
computable term of type $s$. By induction hypothesis (H3), $v\theta\theta'\{x \mapsto w\}$ 
is computable. Hence, by Lemma 16.4, $r\theta\theta'$ is computable. 

(5) $r = g(\vec{v})$ with $g <_\mathcal{F} f$ and each $v_i \in CC_f(\vec{l})$. By induction hypothesis 
(H3), each $v_i\theta\theta'$ is computable. Hence, by induction hypothesis (H1), 
$r\theta\theta'$ is computable. 

(6) $r = g(\vec{v})$ with $g =_\mathcal{F} f$, each $v_i \in CC_f(\vec{l})$ and $\vec{l} >_{stat_f} \vec{v}$. By induction 
hypothesis (H3), each $v_i\theta\theta'$ is computable. We show that $\vec{l}\theta\theta' \succ_{stat_f} \vec{v}\theta\theta'$. 

• Assume that $l_i > v_j$ and $l_i$ is of a strictly positive inductive type $s$. 
By definition of $>$, there is $p \in Pos(l_i)$ such that $p \neq \varepsilon$, $v_j = (l_i|_p\ \vec{w})$ and, 
for all $q < p$, $l_i|_q$ is constructor-headed. By assumption, each $w_i$ belongs 
to the computable closure. So, by induction hypothesis (H3), $w_i\theta\theta'$ is 
computable. Now, $l_i|_p$ has a type of the form $\vec{s} \to s$. Let $s_q$ be the type 
of $l_i|_q$. Since $>_\mathcal{I}$ is well-founded, all the $s_q$'s are equivalent to $s$. Thus, 
if $p = i_1 \ldots i_{k+1}$ then $l_i\theta\theta' \succ l_i|_{i_1}\theta\theta' \succ \ldots \succ l_i|_{i_1 \ldots i_k}\theta\theta' \succ (l_i|_p\theta\theta'\ \vec{w}\theta\theta')$. 

• $v_j$ is a strict subterm of $l_i$ such that $FV(v_j) \subseteq FV(l_i)$. Hence, $v_j\theta\theta'$ is 
a strict subterm of $l_i\theta\theta'$ and $l_i\theta\theta' \succ v_j\theta\theta'$. 

Therefore, by induction hypothesis (H2), $r\theta\theta'$ is computable. 

We are now able to prove the main lemma for strong normalization, i.e. every 
term is computable. The strong normalization itself will follow as a simple 
corollary. 

Lemma 19 (Main lemma) Assume that all the rules of $R$ follow the Gen- 
eral Schema. Then, for every term $u$ and computable substitution $\theta$, $u\theta$ is 
computable. 

PROOF. We proceed by induction on the structure of u. 

(1) $u$ is a variable $x$. If $x \in dom(\theta)$ then $u\theta = x\theta$ is computable since $\theta$ is 
computable. If $x \notin dom(\theta)$ then $u\theta = x$ is computable since any variable 
is computable. 

(2) $u = f(\vec{v})$. By induction hypothesis, each $v_i\theta$ is computable. Therefore, by 
Lemma 18, $u\theta$ is computable. 

(3) $u = \lambda x.v$. Let $s \to t$ be the type of $u$, $w$ be a computable term of type 
$s$ and $\theta' = \theta \uplus \{x \mapsto w\}$. By induction hypothesis, $v\theta'$ is computable. 
Therefore, by Lemma 16.4, $(u\theta\ w)$ is computable and $u\theta$ also. 

(4) $u = (v\ w)$. By induction hypothesis, $v\theta$ and $w\theta$ are computable. There- 
fore, by definition of computability, $u\theta$ is computable. 

Theorem 20 (Strong normalization) Under the assumptions 1 and 2, the 
combination of 

(1) the simply-typed $\lambda$-calculus with $\beta\eta$-reductions and 

(2) higher-order rewrite rules following the General Schema 

is strongly normalizing. 

PROOF. Since a computability predicate of type s contains all variables of 
type s, the identity substitution is computable. Hence, by Lemma 19, every 
term is computable. And since computable terms are strongly normalizable, 
every term is strongly normalizable. 
4 Examples and Extensions 



In this section, we present several applications and current limitations of the 
General Schema termination proof method. 



4.1 Recursors for strictly positive types 

We already saw that the addition on Brouwer's ordinals follows the General 
Schema. This is also true of the recursor on Brouwer's ordinals [45], as the 
reader can easily check: 

$ordrec_t(X, Y, Z, 0) \to X$ 

$ordrec_t(X, Y, Z, s(n)) \to (Y\ n\ ordrec_t(X, Y, Z, n))$ 

$ordrec_t(X, Y, Z, lim(F)) \to (Z\ F\ \lambda n.ordrec_t(X, Y, Z, (F\ n)))$ 

where $ordrec_t$ is of type $t \to (ord \to t \to t) \to ((nat \to ord) \to (nat \to t) \to 
t) \to ord \to t$. 

This is true as well of the recursors on mutually inductive types, such as the 
type for trees: 

$treerec_t(X, Y, Z, node(l)) \to (X\ l\ listtreerec_t(X, Y, Z, l))$ 

$listtreerec_t(X, Y, Z, nil) \to Y$ 

$listtreerec_t(X, Y, Z, cons(x, l)) \to (Z\ x\ l\ treerec_t(X, Y, Z, x)\ listtreerec_t(X, Y, Z, l))$ 

The same property is actually true of arbitrary strictly positive inductive 
types. The general case is no more difficult apart from the more complex nota- 
tions. 

The uniqueness rules for recursors of basic inductive types were studied in [41] 
and extended to the strictly positive case in [26]. In both cases, the termination 
proof did not use the General Schema since the uniqueness rules do not seem 
to fit the General Schema. It is open whether one could modify the schema to 
cover this kind of rules. 
4.2 Curried function symbols 

We have assumed that all function symbols come along with all their argu- 
ments. This is due to the fact that $\eta$ together with rewrite rules over curried 
symbols leads to non-confluence. Take for example $id : nat \to nat$ defined by 
$(id\ x) \to x$. Then, $\lambda x.x \leftarrow \lambda x.(id\ x) \to_\eta id$. 

Using curried symbols, however, is possible at the price of duplicating the 
vocabulary as follows: for each function symbol $f$ of arity $n > 0$, we add a 
new function symbol $f_c$ of the same type as $f$ but of arity 0, defined by the 
rule 

$f_c \to \lambda x_1 \ldots \lambda x_n . f(x_1, \ldots, x_n)$ 

which satisfies the General Schema. Here is an example of a definition of the 
sum of a list of natural numbers using the foldl function: 

$foldl(F, x, nil) \to x$ 

$foldl(F, x, cons(y, l)) \to foldl(F, (F\ x\ y), l)$ 

$+_c \to \lambda xy.x + y$ 

$sum(l) \to foldl(+_c, 0, l)$ 



4.3 First-order rewriting 



In [28], the last two authors proved that it was possible to combine higher-order 
rewrite rules following the General Schema with a first-order rewrite system 
whose rules decrease in some rewrite ordering and are non-duplicating (i.e. no 
free variable occurs more often in the right-hand side than in the left-hand 
side), a condition needed to avoid Toyama's counter-example to the modularity 
of termination [47]. It is of course possible to do the same here, using Lemma 
24 of [28], an analog of Lemma 18 for first-order function symbols. 

Below, we give an example which cannot be proved to terminate by our 
method: let $-$ and $/$ be the subtraction and division over natural numbers. 
Note that $-$ follows the General Schema while $/$ does not, and that the last 
rule duplicates the variable $y$: 

$0 - y \to 0$ 

$s(x) - 0 \to s(x)$ 

$s(x) - s(y) \to x - y$ 

$x / 0 \to x$ 

$0 / s(y) \to 0$ 

$s(x) / s(y) \to s((x - y) / s(y))$ 
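The following is an added example (not code from the paper): a checker for the first-order fragment of Definitions 10, 11 and 12, run on the append rules of Subsection 2.2 and on the subtraction and division rules above. It assumes first-order terms only, so every subterm of a left-hand side is accessible and the ordering of Definition 10 reduces to "strict subterm reached through constructor-headed terms"; statuses are lexicographic or multiset, and case (6) handles only recursive calls to $f$ itself; the term representation and the names `Signature`, `in_closure` and `follows_schema` are the example's own.

```python
"""Added example (not the paper's code): checker for the first-order fragment of
the General Schema (Definitions 10-12).  Assumptions: first-order terms, so every
subterm of a left-hand side is accessible and Definition 10 reduces to 'strict
subterm reached through constructor-headed terms'; statuses are lexicographic or
multiset; case (6) only handles g = f (no mutually recursive symbols)."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple, Union

@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class App:
    head: str                      # constructor or defined function symbol
    args: Tuple["Term", ...] = ()

Term = Union[Var, App]

def A(head: str, *args: Term) -> App:
    return App(head, tuple(args))

def free_vars(t: Term) -> Set[str]:
    if isinstance(t, Var):
        return {t.name}
    return set().union(*(free_vars(a) for a in t.args))

def subterms(t: Term) -> List[Term]:
    if isinstance(t, Var):
        return [t]
    return [t] + [st for a in t.args for st in subterms(a)]

def greater(u: Term, v: Term, constructors: Set[str]) -> bool:
    """Definition 10 on a basic inductive type: v is a strict subterm of u and
    every term on the path from u down to v (u included) is constructor-headed."""
    if not (isinstance(u, App) and u.head in constructors):
        return False
    return any(a == v or greater(a, v, constructors) for a in u.args)

def lex_greater(us, vs, gt) -> bool:
    """Lexicographic status: the first differing argument decides."""
    for u, v in zip(us, vs):
        if gt(u, v):
            return True
        if u != v:
            return False
    return False

def mul_greater(us, vs, gt) -> bool:
    """Multiset status: drop common arguments, then every remaining argument of
    the recursive call must be dominated by some remaining left-hand side argument."""
    us, vs = list(us), list(vs)
    for u in list(us):
        if u in vs:
            us.remove(u)
            vs.remove(u)
    return bool(us) and all(any(gt(u, v) for u in us) for v in vs)

@dataclass
class Signature:
    constructors: Set[str]
    precedence: Dict[str, int]   # defined symbols only; constructors sit below them all
    status: Dict[str, str] = field(default_factory=dict)   # 'lex' (default) or 'mul'

def in_closure(t: Term, f: str, ls: Tuple[Term, ...], sig: Signature) -> bool:
    """Definition 11, cases (1), (2), (5) and (6), for first-order terms."""
    if isinstance(t, Var):
        return True                                        # (1) variable
    if any(t in subterms(l) for l in ls):
        return True                                        # (2) accessible subterm
    args_ok = all(in_closure(a, f, ls, sig) for a in t.args)
    smaller = t.head in sig.constructors or sig.precedence.get(t.head, 1 << 30) < sig.precedence[f]
    if smaller:
        return args_ok                                     # (5) symbol below f
    if t.head == f:                                        # (6) recursive call
        gt = lambda u, v: greater(u, v, sig.constructors)
        cmp = mul_greater if sig.status.get(f) == "mul" else lex_greater
        return args_ok and cmp(ls, t.args, gt)
    return False

def follows_schema(lhs: App, rhs: Term, sig: Signature) -> bool:
    """Definition 12: rhs in CC_f(l) and each free variable of rhs occurs in l."""
    return free_vars(rhs) <= free_vars(lhs) and in_closure(rhs, lhs.head, lhs.args, sig)

def check_rules(rules: List[Tuple[App, Term]], sig: Signature) -> List[bool]:
    return [follows_schema(l, r, sig) for l, r in rules]

# Constructed sample systems taken from the paper: append, subtraction, division.
CONSTRUCTORS = {"0", "s", "nil", "cons"}
SIG = Signature(CONSTRUCTORS, {"append": 1, "-": 1, "/": 2})
x, y, l, l2, ZERO = Var("x"), Var("y"), Var("l"), Var("l'"), A("0")
APPEND_RULES = [(A("append", A("nil"), l2), l2),
                (A("append", A("cons", x, l), l2), A("cons", x, A("append", l, l2)))]
SUB_RULES = [(A("-", ZERO, y), ZERO), (A("-", A("s", x), ZERO), A("s", x)),
             (A("-", A("s", x), A("s", y)), A("-", x, y))]
DIV_RULES = [(A("/", x, ZERO), x), (A("/", ZERO, A("s", y)), ZERO),
             # (x - y) is not a subterm of s(x): this recursive call escapes the schema
             (A("/", A("s", x), A("s", y)), A("s", A("/", A("-", x, y), A("s", y))))]

if __name__ == "__main__":
    print({n: check_rules(r, SIG) for n, r in [("append", APPEND_RULES), ("-", SUB_RULES), ("/", DIV_RULES)]})
```

Running it reports every append and subtraction rule as accepted and rejects only the last division rule, exactly the situation the text describes.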
In [21], Gimenez proposes a terminating schema using a notion of subtyping 
which allows one to prove the strong normalization property of this example. 

However, we do not think this is a real issue. Non-termination does not neces- 
sarily imply logical inconsistency, i.e. that False is provable. In the case of Toyama's 
counterexample to the modularity property of termination, the union of the 
two original confluent and terminating rewrite systems is not terminating, but 
every term has a computable normal form. We believe, hence conjecture, that 
this property is enough here to ensure that False cannot be derived in the 
combined calculus. 



4.4 Conditional rewriting 



A conditional rule is a triple written $(l \to r \text{ if } C)$ where $C$ is a condition of 
the form $u_1 = v_1 \wedge \ldots \wedge u_n = v_n$ with $FV(C) \subseteq FV(l)$, meaning that $l \to r$ 
may be applied only if the terms of each pair $(u_i, v_i)$ have a common reduct. 
The conditional rule: 

$l \to r \text{ if } u_1 = v_1 \wedge \ldots \wedge u_n = v_n$ 

can be encoded with the two non-conditional rules: 

$l \to eq_n(u_1, v_1, \ldots, u_n, v_n, r)$ 

The second rule satisfies the General Schema quite trivially. We therefore say 
that a conditional rule follows the General Schema if $l \to r$ follows the General 
Schema and $u_1, v_1, \ldots, u_n, v_n$ are all in the computable closure of $l$. Hence, 
after Theorem 20, if all the conditional rules satisfy the General Schema, then 
$\to_R \cup \to_{\beta\eta}$ is strongly normalizing. 

A well-known example is given by an insertion function on lists. 

$insert(x, nil) \to cons(x, nil)$ 

$insert(x, cons(y, l)) \to cons(x, cons(y, l))$ if $inf(x, y) = true$ 

$insert(x, cons(y, l)) \to cons(y, insert(x, l))$ if $inf(x, y) = false$ 

$inf(0, x) \to true$ 

$inf(s(x), 0) \to false$ 

$inf(s(x), s(y)) \to inf(x, y)$ 
4.5 Congruent types 



We are going to see that our method can easily cope with basic inductive 
types whose constructors satisfy some (first-order) equations, provided that 
these equations form a weakly-normalizing term rewriting system, that is, such 
that every term has a unique normal form. In this case, the initial algebra of 
the inductive type is equivalent to its normal form algebra and the latter can 
be represented by the accepting states of a finite tree automaton of some form 
[7,11]. The important property of this automaton is that the set of terms 
recognized at every accepting state is recursive and the predicate of this state 
is actually easy to define. We show the construction for the simple example of 
integers. The general case of an arbitrary basic inductive type is no different. 

The inductive type $int$ is specified with the constructors $0$, $s$ and $p$ for zero, 
successor and predecessor respectively, and the two equations $s(p(x)) = x$ 
and $p(s(x)) = x$, which are easily turned into a first-order convergent term 
rewriting system $\{s(p(x)) \to x,\ p(s(x)) \to x\}$ whose normal forms are rec- 
ognized by the automaton given in Figure 1. This automaton can be easily 
constructed by solving disequations over terms (see [11,38]). 




Fig. 1. Automaton 

Then, the recursor on integers may be defined by the following set of constraint 
rules: 

$intrec_t(X, Y, Z, 0) \to X$ 

$intrec_t(X, Y, Z, s(x)) \to (Y\ x\ intrec_t(X, Y, Z, x))$ if $s(x) \in Pos$ 

$intrec_t(X, Y, Z, p(x)) \to (Z\ x\ intrec_t(X, Y, Z, x))$ if $p(x) \in Neg$ 

As usual, it is then possible to define other functions such as the addition by 
the use of the recursor: 

$x + y \to intrec_{int}(x, \lambda xy.s(y), \lambda xy.p(y), y)$ 

which is equivalent to the following pattern-matching definition: 

$x + 0 \to x$ 

$x + s(y) \to s(x + y)$ if $s(y) \in Pos$ 

$x + p(y) \to p(x + y)$ if $p(y) \in Neg$ 

but to which we may add, for example, the rule for associativity: 

$(x + y) + z \to x + (y + z)$ 

or, by a completely different definition which does not make use of the au- 
tomaton but makes use of the signature present in the user's specification 
only: 

$x + 0 \to x$ 

$x + s(y) \to s(x + y)$ 

$x + p(y) \to p(x + y)$ 

$s(p(x)) \to x$ 

$p(s(x)) \to x$ 


It is of course a matter of debate whether the normal form computations 
should be made available to the users, like the recursors, or should not. We 
have no definite argument in favor of either alternative. 

We have assumed that the specification of constructors was a weakly nor- 
malizing (in practice, a confluent and terminating) set of rewrite rules. The 
method applies as well when some constructor is commutative or associa- 
tive and commutative (with some additional technical restriction). See [7] for 
more explanations and additional references. Whether it can be generalized 
to non-basic inductive types is however open. 



4.6 Matching modulo $\beta\eta$ 



In this section, we address the case of higher-order rewrite rules à la Nipkow 
[39], based on higher-order pattern-matching with patterns à la Miller [37]. We 
give here several examples taken from [39], [48] or [42], and recall why plain 
pattern-matching does not really make sense for them. On the other hand, 
we will see that all these examples follow the General Schema: we explain the 
first example in detail and the reader is invited to check the others against our 
definitions. 

We start with the example of differentiation of functions over the inductive 
type R: 
$x \times 1 \to x$ 

$x \times 0 \to 0$ 

$x + 0 \to x$ 

$0 / x \to 0$ 

$1 \times x \to x$ 

$0 \times x \to 0$ 

$0 + x \to x$ 

$D(\lambda x.y) \to \lambda x.0$ 

$D(\lambda x.x) \to \lambda x.1$ 

$D(\lambda x.sin(F\ x)) \to \lambda x.cos(F\ x) \times (D(F)\ x)$ 

$D(\lambda x.cos(F\ x)) \to \lambda x.-sin(F\ x) \times (D(F)\ x)$ 

$D(\lambda x.(F\ x) + (G\ x)) \to \lambda x.(D(F)\ x) + (D(G)\ x)$ 

$D(\lambda x.(F\ x) \times (G\ x)) \to \lambda x.(D(F)\ x) \times (G\ x) + (F\ x) \times (D(G)\ x)$ 

$D(\lambda x.ln(F\ x)) \to \lambda x.(D(F)\ x) / (F\ x)$ 

Note first that we cannot have composition explicitly as a constructor of the 
inductive type $R$, since the positivity condition would be violated. We could 
define it with the rule $F \circ G \to \lambda x.(F\ (G\ x))$, but then, in $D(F \circ G)$, $F$ and 
$G$ are not accessible since they are not of basic type and, in $D(\lambda x.(F\ (G\ x)))$, 
$F$ is not accessible since it is not applied to distinct bound variables, a con- 
dition also required for patterns in Nipkow's framework. This explains why 
composition is encoded in each rule by using the application operator of the 
$\lambda$-calculus. 

The rules defining $\times$, $+$ and $/$ are usual first-order rules. We could restrict 
the use of the last one to the case where $x$ is different from 0. Of course, 
this is not possible with a faithful axiomatization of reals, since equality to 0 
is not decidable for the reals. As for the other rules, $D(\lambda x.y) \to \lambda x.0$ states 
that the differential of a constant function (equal to $y$) is the null function. 
The definition of substitution ensures here that $x$ cannot occur freely in an 
instance of $y$, hence $y$ is a constant with respect to $x$ (although it may depend 
on other variables free in the rewritten term). The rule $D(\lambda x.x) \to \lambda x.1$ states 
that the differential of the identity is the constant function equal to 1. The 
next rule, $D(\lambda x.sin(F\ x)) \to \lambda x.cos(F\ x) \times (D(F)\ x)$, defines the differential 
of a function obtained by composing $sin$ with some other function $F$. The 
other rules speak for themselves. 

Assume now that we use first-order pattern-matching for these rules. Then, 
we would not be able to differentiate the function $\lambda x.sin(x)$ by computing 
$D(\lambda x.sin(x))$, because no rule would match. Of course, we could give new 
rules for this case, but this would be an endless game. The use of higher-order 
matching, on the other hand, chooses the appropriate value for the higher- 
order free variables so as to cover all cases. 

The local confluence of these rules can be checked on higher-order critical 
pairs, as shown by Nipkow [39,34]. The computation of these critical pairs can 
be done in linear time [43], thanks to the hypothesis that the left-hand sides 
are patterns. 

We now show that this example follows the General Schema, by showing first 
that the free variables of the right-hand sides are accessible in their respective 
left-hand side. For the rule $D(\lambda x.y) \to \lambda x.0$, $y$ is accessible in $\lambda x.y$ by cases (1) 
and (2). For the rule $D(\lambda x.sin(F\ x)) \to \lambda x.cos(F\ x) \times (D(F)\ x)$, $F$ is accessible 
in $\lambda x.sin(F\ x)$ by (1), (2), (3) and (4). Now, it is not difficult to check that the 
right-hand sides belong to the computable closure of their respective left-hand 
side. 

Prehofer and van de Pol prove the termination of this system (with higher- 
order pattern-matching) by defining a higher-order interpretation proved to be 
strictly monotonic on the positive natural numbers [42], a method developed 
by van de Pol [48] that generalizes to the higher-order case the interpretation 
method of first-order term rewriting systems. One can easily imagine that it 
is not easy at all to find higher-order interpretations. Here, $D$ needs to be 
interpreted by a functional which takes as arguments a function $f$ on positive 
natural numbers and a positive natural number $n$, for example the function 
$(f, n) \mapsto 1 + n \times f(n)^2$. Furthermore, the interpretation method is not modular, 
the adequate interpretation of each single function symbol depending on the 
whole set of rules. This makes it difficult to use by non-experts. 

The next example is taken from process algebra [44]: 

$p + p \to p$ 

$(p + q);r \to (p;r) + (q;r)$ 

$(p;q);r \to p;(q;r)$ 

$p + \delta \to p$ 

$\delta;p \to \delta$ 

$\Sigma(\lambda d.p) \to p$ 

$\Sigma(X) + (X\ d) \to \Sigma(X)$ 

$\Sigma(\lambda d.(X\ d) + (Y\ d)) \to \Sigma(X) + \Sigma(Y)$ 

$\Sigma(X);p \to \Sigma(\lambda d.(X\ d);p)$ 



Note that the left-hand side of the rule $\Sigma(X) + (X\ d) \to \Sigma(X)$ is not a pattern à la Miller. 
As a consequence, Nipkow's results for proving local confluence do not apply. 
Termination of these rules is also proved in [48]. To see that this example 
follows the General Schema, it suffices to take the precedence defined by $; >_\mathcal{F} 
\delta$, $; >_\mathcal{F} \Sigma$ and $\Sigma >_\mathcal{F} +$. The rule $\Sigma(X) + (X\ d) \to \Sigma(X)$, which is a simple projection, 
is dealt with by case (2). 



The last example, the computation of the negative normal form of a formula, 
is taken from logic (we give only a sample of the rules): 

$\neg(\neg(p)) \to p$ 

$\neg(p \wedge q) \to \neg(p) \vee \neg(q)$ 

$\neg(\forall(P)) \to \exists(\lambda x.\neg(P\ x))$ 

Of course, the fact that all the above examples follow the General Schema does 
not imply that Nipkow's rewriting terminates. However, we conjecture that it 
does, and that this is due to the use of patterns in the left-hand sides. To prove 
our conjecture, we essentially need to show that higher-order pattern-matching 
preserves computability. This has recently been proved by the first author 
in [5], where the framework described here is extended into a typed version 
of Klop's higher-order rewriting framework [31], and where Nipkow's higher- 
order Critical Pair Lemma is shown to apply to this extended framework as well. 



4.7 Rewriting modulo additional theories 

It is common practice to rewrite modulo properties of constructors (implying 
that the underlying inductive type is a quotient) or of defined symbols. Usual 
properties, as in presentations of arithmetic, are commutativity, or commutativity 
together with associativity. In our encoding of predicate calculus, there is a less 
common kind of commutativity of bound variables, expressed by the equation: 

∀(λx.∀(λy.(P x y))) = ∀(λy.∀(λx.(P x y))) 

We now give (a sample of) the rules for the computation of the prenex normal 
form of a formula: 

∀(P) ∧ q → ∀(λx.(P x) ∧ q) 
p ∧ ∀(Q) → ∀(λx.p ∧ (Q x)) 

The above set of rules is confluent modulo the previous equation (but would 
not be confluent directly). Note that matching modulo the equation is not 
necessary here because of the form of the left-hand sides of rules. 
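The confluence claim above can be checked mechanically. The following Python code is an added example, not part of the paper: it encodes the two prenex rules with de Bruijn indices for bound variables, normalizes ∀(P) ∧ ∀(Q) under the two possible rule-application orders, and shows that the two distinct normal forms coincide modulo the quantifier-commutation equation. The tuple encoding, the names `remap`, `step`, `normalize`, `eq_mod`, and the restriction of the equation check to one swap of adjacent ∀ binders are this example's own assumptions.

```python
# Added example, not code from the paper. Formulas are tuples, bound variables
# are de Bruijn indices (0 = variable of the innermost enclosing ∀):
#   ('atom', name, indices)   ('and', p, q)   ('all', body) for ∀(λx.body)
def remap(t, f, d=0):
    """Apply the index map f(i, depth) to every bound-variable index in t."""
    if t[0] == 'atom':
        return ('atom', t[1], tuple(f(i, d) for i in t[2]))
    if t[0] == 'and':
        return ('and', remap(t[1], f, d), remap(t[2], f, d))
    return ('all', remap(t[1], f, d + 1))

def shift(t):   # move t under one more ∀: its free indices go up by one
    return remap(t, lambda i, d: i + 1 if i >= d else i)

def swap01(t):  # exchange the two innermost binders: body side of the equation
    return remap(t, lambda i, d: d + 1 if i == d else d if i == d + 1 else i)

def step(t, first):
    """One rewrite step; `first` ('left'/'right') picks the rule tried first when
    both prenex rules match p ∧ q. Returns None when t is in normal form."""
    if t[0] == 'and':
        p, q = t[1], t[2]
        rules = [(p[0] == 'all', lambda: ('all', ('and', p[1], shift(q)))),  # ∀(P) ∧ q → ∀(λx.(P x) ∧ q)
                 (q[0] == 'all', lambda: ('all', ('and', shift(p), q[1])))]  # p ∧ ∀(Q) → ∀(λx.p ∧ (Q x))
        for ok, rhs in (rules if first == 'left' else rules[::-1]):
            if ok:
                return rhs()
        for i in (1, 2):  # no rule at the root: rewrite inside a subterm
            r = step(t[i], first)
            if r is not None:
                return t[:i] + (r,) + t[i + 1:]
        return None
    if t[0] == 'all':
        r = step(t[1], first)
        return None if r is None else ('all', r)
    return None

def normalize(t, first='left'):
    while (r := step(t, first)) is not None:  # terminates: each step pulls a ∀ outward
        t = r
    return t

def eq_mod(s, t):
    """Equality modulo one commutation of adjacent ∀ binders (enough for two quantifiers)."""
    if s == t:
        return True
    if s[0] == 'and' == t[0]:
        return eq_mod(s[1], t[1]) and eq_mod(s[2], t[2])
    if s[0] == 'all' == t[0]:
        return eq_mod(s[1], t[1]) or (s[1][0] == 'all' == t[1][0] and eq_mod(swap01(s[1][1]), t[1][1]))
    return False

# Constructed input: ∀(P) ∧ ∀(Q), the term on which both rules match at the root.
EXAMPLE = ('and', ('all', ('atom', 'P', (0,))), ('all', ('atom', 'Q', (0,))))
```

Running `normalize(EXAMPLE, 'left')` and `normalize(EXAMPLE, 'right')` yields ∀x.∀y.(P x) ∧ (Q y) and ∀y.∀x.(P x) ∧ (Q y) respectively: different terms, so the rules alone are not confluent, but `eq_mod` identifies them.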

We end this list with "miniscoping", an operation inverse to the computation of 
the prenex normal form: 

∀(λx.p) → p 
∀(λx.(P x) ∧ (Q x)) → ∀(P) ∧ ∀(Q) 
∀(λx.(P x) ∨ q) → ∀(P) ∨ q 
∀(λx.p ∨ (Q x)) → p ∨ ∀(Q) 

These examples follow our schema as well. Of course, this does not prove strong 
normalization, since we did not prove that the schema is compatible with such 
theories. The generalization is quite straightforward for commutativity but 
needs more investigation for more complex theories such as the above one, or 
associativity and commutativity together. 



5 Conclusion 

This paper is a continuation of [28]. Our most important contributions are the 
following: 

(1) Our new General Schema is strong enough to capture strictly posi- 
tive recursors, such as the recursor for Brouwer's ordinals, without com- 
promising the essential properties of the calculus. The strong normal- 
ization proof for this extension is again based on Tait and Girard's 
computability predicates technique and uses in an essential way the strict- 
positivity condition of the inductive types. 

(2) The new formulation of the schema makes it very easy to define new 
extensions, by simply adding new cases to the definition of "accessibility", 
or new computability-preserving operations in the "computable closure". 

(3) The notion of "computable closure" is an important concept which has 
already been used in a different context [29]. 

(4) Several precise conjectures have been stated. The most important two, in 
our view, are the use of the General Schema to prove the strong normal- 
ization of higher-order rewriting à la Nipkow on the practical side, and 
the generalization of the schema to capture (non-strictly) positive induc- 
tive types on the theoretical one. The first conjecture has been recently 
solved by the first author in [5]. 

Another kind of extension should now be considered: a richer type system, 
which we did in [6], keeping the same definition for the rules and the General 
Schema. But a richer type system allows richer forms of rewrite rules: the 
General Schema should therefore be adapted so as to allow for rules of a 
dependent type and even rules over types. Experience shows that the latter 
kind of extension raises important technical difficulties. Strong elimination 
rules in the Calculus of Inductive Constructions [51] or the rules defining a 
system of Natural Deduction Modulo [17,18] are of that kind. 